Miscellaneous Core and template options to make targeted hacks more difficult;

Security is an admittedly technical subject, but Apocalypse Meow strives to help educate “normal” users about the nature of common web attacks, mitigation techniques, etc. Every option contains detailed explanations and links to external resources with additional information.

Knowledge is power!

For the less normal among us — system administrators, developers, and other IT professionals — there is also a Premium Version, packed with administrative tools, data visualizations and export functionality, and complete WP-CLI integration for those with nerdier workflows.

Requirements

Due to the advanced nature of some of the plugin features, there are a few additional server requirements beyond what WordPress itself requires:

WordPress 4.4+.

PHP 7.2 or later.

PHP extensions: (bcmath or gmp), date, filter, json, pcre.

CREATE and DROP MySQL grants.

Single-site Installs (i.e. Multi-Site is not supported).

Please note: it is not safe to run WordPress atop a version of PHP that has reached its End of Life. Future releases of this plugin might, out of necessity, drop support for old, unmaintained versions of PHP. To ensure you continue to receive plugin updates, bug fixes, and new features, just make sure PHP is kept up-to-date. 🙂

Premium Version

Apocalypse Meow’s proactive security hardening and attack mitigation features are completely free, and always will be.

The Premium Version is intended for IT professionals like system administrators and developers, who require more control over the data and workflow.

This version comes with a bunch of advanced tools, offering the ability to:

Reset passwords site-wide (with or without email notifications);

Detect and revoke old passwords hashed with MD5;

Rename the dangerous default “admin” and “administrator” usernames;

View and revoke individual user sessions;

Export login data in CSV format;

Backup and restore plugin settings;

Access to hooks and filters to interact with the brute-force login operations;

Log Monitoring

Some robots are so dumb they’ll continue trying to submit credentials even after the login form is replaced, wasting system resources and clogging up the log-in history table. One way to mitigate this is to use a server-side log-monitoring program like Fail2Ban or OSSEC to ban users via the firewall.

Apocalypse Meow returns a 403 response when a banned user requests the login form, so your log-monitoring rule should look for repeated 403 responses to wp-login.php. Additionally, some robots are unable to follow redirects; if your login form is forced to SSL, you should also ban repeated 301/302 responses to wp-login.php over plain HTTP to catch those fools. Keep the thresholds and time window conservative, and add the IP addresses you log in from to your log monitor's ignore list (ignoreip in Fail2Ban) so that you cannot firewall yourself.

If you have enabled user enumeration protection with the die() option, requests for ?author=X receive a 400 response code, which can be tracked the same way.
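As an added example (this is not code from the plugin or its documentation), the following Python script applies those three rules to access-log lines the way a Fail2Ban filter would: it parses the combined log format, counts per-IP hits for each signal inside a sliding findtime window, and reports an IP once it crosses maxretry. The log lines, thresholds and the whitelisted address are constructed for the example; in production, wire the same path/status patterns into a real Fail2Ban failregex and its ignoreip list and let the jail do the firewall banning.

```python
"""Fail2Ban-style detector for Apocalypse Meow's robot signals.

Added example, not part of the plugin. Counts, per client IP, the responses
the plugin produces for banned or redirect-blind robots:

  * 403 on wp-login.php      -> the plugin's banned-user response
  * 301/302 on wp-login.php  -> robot that cannot follow the HTTPS redirect
  * 400 on /?author=N        -> die()-mode user enumeration protection

The combined log format carries no scheme, so run the 301/302 rule only on
the plain-HTTP vhost log, otherwise genuine HTTPS redirects are counted too.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format, e.g.
# 203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# One (path pattern, status set) per signal; the names are arbitrary labels.
RULES = {
    "login-banned":   (re.compile(r'^/wp-login\.php(\?|$)'), {403}),
    "login-redirect": (re.compile(r'^/wp-login\.php(\?|$)'), {301, 302}),
    "author-enum":    (re.compile(r'^/\?author=\d+'), {400}),
}


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def classify(path, status):
    """Name of the rule a request hits, or None if it is ordinary traffic."""
    for name, (path_re, statuses) in RULES.items():
        if status in statuses and path_re.match(path):
            return name
    return None


def find_offenders(lines, maxretry=5, findtime=timedelta(minutes=10), ignore=()):
    """Return {ip: rule} for IPs with >= maxretry hits of one rule inside findtime.

    `ignore` mirrors Fail2Ban's ignoreip: whitelisted addresses are never banned.
    Lines are assumed to be in chronological order, as in a real log file.
    """
    hits = defaultdict(list)   # (ip, rule) -> timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, status = parsed
        if ip in ignore:
            continue
        rule = classify(path, status)
        if rule is None:
            continue
        window = hits[(ip, rule)] + [ts]
        # Sliding window: forget hits older than findtime relative to this one.
        hits[(ip, rule)] = [t for t in window if ts - t <= findtime]
        if len(hits[(ip, rule)]) >= maxretry:
            offenders.setdefault(ip, rule)
    return offenders


def _line(ip, ts, req, status):
    return f'{ip} - - [{ts}] "{req} HTTP/1.1" {status} 199 "-" "Mozilla/5.0"'


# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    # 5 x 403 within a minute: a banned robot still posting credentials
    *[_line("203.0.113.7", f"10/Oct/2023:13:55:{s:02d} +0000", "POST /wp-login.php", 403)
      for s in (1, 12, 25, 40, 58)],
    # 5 x 302 within 30 seconds: a redirect-blind robot on plain HTTP
    *[_line("198.51.100.4", f"10/Oct/2023:14:01:{s:02d} +0000", "POST /wp-login.php", 302)
      for s in (3, 9, 15, 21, 27)],
    # 5 x 400 spread over five hours: never 5 inside the window, not banned
    *[_line("192.0.2.9", f"10/Oct/2023:{h:02d}:00:00 +0000", "GET /?author=1", 400)
      for h in (9, 10, 11, 12, 13)],
    # a whitelisted admin who locked themselves out of the plugin
    *[_line("10.0.0.5", f"10/Oct/2023:14:05:{s:02d} +0000", "GET /wp-login.php", 403)
      for s in (1, 2, 3, 4, 5)],
    # ordinary traffic
    _line("203.0.113.50", "10/Oct/2023:14:10:00 +0000", "GET /", 200),
]

if __name__ == "__main__":
    for ip, rule in find_offenders(SAMPLE_LOG, ignore={"10.0.0.5"}).items():
        print(f"ban {ip} ({rule})")
```

The two parameters map directly onto a Fail2Ban jail's maxretry and findtime; the `ignore` set is the equivalent of ignoreip and should always contain the addresses you administer from.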

Privacy Policy

When active, this plugin retains security logs of every sign-in attempt made to the CMS backend. This information — including the end user’s public IP address, username, and the status of his or her attempt — is used to help prevent unauthorized system access and maintain Quality of Service for all site visitors.

This information resides fully on the hosting web site and is not shared with any third parties unless the Community Pool feature is enabled, in which case any IP addresses responsible for attacks against your web site are periodically shared with Blobfolio, LLC, the maintainer of the centralized database. If any of those IP addresses are subsequently identified by multiple, independent sources, they will be published to a public blocklist (hosted by Blobfolio).

Data retention is entirely up to the site operator, but by default old records are automatically removed after 90 days.

Please note: Apocalypse Meow DOES NOT integrate with any WordPress GDPR “Personal Data” features. (Selective erasure of audit logs would undermine the security mechanisms provided by this plugin. Haha.)

Screenshots

View and search the login history and manage banned users.

All settings include detailed explanations, suggestions, and links to additional resources. Not only will your site be vastly more secure, you'll learn a lot!

The Community Pool: the login blocklist can ultimately be extended to include community-reported attack data, vastly increasing the effectiveness of the brute-force login mitigation.

Pro: simple but sexy statistics.

Pro: a ton of additional security and management tools for system administrators, including an ability to view and revoke individual user sessions.

Pro: a full suite of WP-CLI tools, hookable functions and filters to interact with or extend the login protection features, read-only configurations, and detailed documentation covering it all!

Installation

Nothing fancy! You can use the built-in installer on the Plugins page or extract and upload the apocalypse-meow folder to your plugins directory via FTP.

To install this plugin as Must-Use, download, extract, and upload the apocalypse-meow folder to your mu-plugins directory via FTP. See the MU Caveats for more information about getting WordPress to load an MU plugin that is in a subfolder.

Please note: MU Plugins are removed from the usual update-checking process, so you will need to handle future updates manually.

FAQ

Is this plugin compatible with WPMU?

No, sorry. This plugin may only be installed on single-site WordPress instances.

How does the Community Pool Blocklist Work?

The Community Pool is a new opt-in feature that combines attack data from your site with other sites running in pool mode to produce a global blocklist.

In other words, an attack against one becomes an attack against all!

The blocklist data is conservatively filtered using a tiered and weighted ranking system based on activity shared within the past 24 hours. For an IP address to be eligible for community banning, it must be independently reported from multiple sources and have a significant amount of total failures.

Your site’s whitelist is always respected. Failures from whitelisted IPs will never be sent to the pool, and if the pool declares a ban for an IP you have whitelisted, your site will not ban it.

For more information, check out the Community Pool settings page.

How do I unban a user?

The Login Activity page will show any active bans in the top/right corner. You can click the button corresponding to the victim to remove the ban.

If you accidentally banned yourself and cannot access the backend, you have a few options:

Wait until the defined time has elapsed;

Log in from a different IP address (tip: use your cellphone via mobile data, not Wi-Fi);

Remember: you can (and should) whitelist any IP addresses that you commonly log in from. This is done through the Settings page.

Can I see the passwords people tried when logging in?

Of course not! Haha. Apocalypse Meow is here to solve security problems, not create them. Only usernames and IP addresses are stored.

Will the brute-force log-in prevention work if my server is behind a proxy?

As of version 1.5.0, it is possible to specify an alternative $_SERVER variable that Apocalypse Meow should use to determine the visitor’s “true” IP. It is important to note, however, that depending on how that server variable is populated, the value might be forgeable: a forwarded-for style header is only as trustworthy as the proxy that wrote it, so make sure your proxy overwrites the header rather than appending to whatever the client sent. Nonetheless, this should be better than nothing!
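To see why that value can be forged, here is an added example in Python (this is not the plugin's PHP code) that models the two ways of reading a forwarded header from a $_SERVER-like array: the naive way (first address in HTTP_X_FORWARDED_FOR wins) and a trusted-proxy walk that honours the header only when REMOTE_ADDR is one of your own proxies and takes the rightmost hop they did not insert. The TRUSTED_PROXIES ranges and the sample requests are assumptions for the example; the plugin itself simply reads whichever key you name, so the equivalent guarantee has to come from your proxy configuration or from logic like this in front of it.

```python
"""Resolve the client IP behind a reverse proxy without trusting forgeable headers.

Added example, not the plugin's own code. `server` dictionaries mimic PHP's
$_SERVER: REMOTE_ADDR is the TCP peer that actually connected, and
HTTP_X_FORWARDED_FOR is the header as received (comma-separated hops, where
each proxy appends the address it saw to the right of whatever was there).
"""
import ipaddress

# Assumed: the address ranges your own load balancer / CDN connects from.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]


def _is_trusted(ip_str):
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(server):
    """What 'just read the forwarded header' does: the leftmost hop wins.

    The leftmost hop is whatever the client chose to send, so an attacker can
    pick any address here and dodge (or frame someone else for) a ban.
    """
    header = server.get("HTTP_X_FORWARDED_FOR", "")
    if not header.strip():
        return server.get("REMOTE_ADDR", "")
    return header.split(",")[0].strip()


def client_ip(server):
    """Trusted-proxy resolution: honour the header only from known proxies."""
    peer = server.get("REMOTE_ADDR", "")
    if not _is_trusted(peer):
        # Direct connection (or an unknown proxy): the header is attacker-controlled.
        return peer
    hops = [h.strip() for h in server.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    # Walk from the right past every hop added by our own proxies; the first
    # untrusted address is the client as seen by the outermost proxy we trust.
    for hop in reversed(hops):
        if not _is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                break   # garbage in the header; fall back to the peer
    return peer


# Constructed requests. 203.0.113.7 is the real client, 198.51.100.1 is the
# address the attacker would like to be logged as.
DIRECT_FORGED = {"REMOTE_ADDR": "203.0.113.7", "HTTP_X_FORWARDED_FOR": "198.51.100.1"}
BEHIND_PROXY_HONEST = {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": "203.0.113.7"}
BEHIND_PROXY_FORGED = {"REMOTE_ADDR": "10.0.0.5",
                       "HTTP_X_FORWARDED_FOR": "198.51.100.1, 203.0.113.7"}
TWO_PROXIES = {"REMOTE_ADDR": "10.0.0.5",
               "HTTP_X_FORWARDED_FOR": "203.0.113.7, 192.0.2.10"}
GARBAGE_HEADER = {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": "not-an-ip"}

if __name__ == "__main__":
    for name, req in (("direct, forged header", DIRECT_FORGED),
                      ("behind proxy, honest", BEHIND_PROXY_HONEST),
                      ("behind proxy, forged prefix", BEHIND_PROXY_FORGED)):
        print(f"{name:28s} naive={naive_client_ip(req):14s} trusted={client_ip(req)}")
```

In the forged cases the naive reader bans 198.51.100.1 (an innocent or non-existent address) while the attacker at 203.0.113.7 keeps trying; the trusted-proxy walk returns the real client in both. If your proxy is configured to overwrite the header with the peer it saw, the header holds exactly one hop and the plugin's plain key lookup behaves the same way.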

I am seeing “You are running Vue in development mode.” in the console?

This informational message appears on Apocalypse Meow admin pages if your site is running in WP_DEBUG mode. The development build of Vue.js provides more useful information for debugging JavaScript-related issues.

When WP_DEBUG is set to FALSE (which should be the case for any production sites), the leaner production version of Vue.js is loaded instead. 🙂

Multi-Server Setup

Apocalypse Meow tracks login history in the database. If your WordPress site is spread across multiple load-balanced servers, they must share access to a single master database; otherwise failure counting, and therefore banning, will only occur on a per-node basis, and an attacker's attempts get split across nodes.

Reviews

What a great approach to WordPress security. Lightweight indeed, simple settings, very effective, and LOVE the community feature to block already known IPs from access. Purchased premium license, and you should too!

Great plugin
Very simple and very convenient plugin.
The possibilities of the usual version of the plugin are enough for the "set up and forget" level
At least so far very pleased with his work (pah-pah so as not to jinx it ;-))
Recommend!

Just installed it and activated a lot of checks which all were clearly explained.
Thank you for creating with hobby users in mind.
First thing I tested was the speed, ooh la la, this plugin did not take any speed, very good.
After spending days on security plugins and trying via htaccess, I come back after a week of using it.